Security · Responsible Disclosure

Find a bug?
Tell us first.

We'd rather hear it from you than read about it later.

STRATUS AccessGov is hardened by 2,042 deterministic gates and an immutable forensic chain — but we don't pretend to be infallible. If you've found a security issue in our platform, our website, or the Hybrid Connector Gateway, this is the policy that governs how we engage.

Email [email protected] Trust Center
Response SLAs

Acknowledge in 24 hours.
Target patch or mitigation plan within 30 days.

Real numbers, not aspirational. Critical findings get same-day attention regardless of business hours.

24 hr
Initial acknowledgement
72 hr
Triage & severity rating
30 day
High-severity patch target
Same day
Critical-severity attention
Program Rules

Scope, safe harbor,
and the boundaries.

In Scope

Our production platform and infrastructure.

Production STRATUS AccessGov instances. The Hybrid Connector Gateway (HCG) agent. Our public APIs and webhooks. The website (stratusaccessgov.com) and any associated subdomains. Container images we publish. Authentication and authorization paths.

Out of Scope

Things we ask you not to test against.

Social engineering against our team or our customers. Physical attacks against our offices or infrastructure providers. Denial-of-service or volumetric attacks. Issues exclusively in third-party services we don't control (report those to the upstream provider). Issues requiring physical access to a customer's network.

Safe Harbor

Good-faith research is authorized.

Research conducted under this program — staying in scope, avoiding privacy harms, not exfiltrating customer data, disclosing through this program before public — is authorized and we will not pursue legal action.

If a third party (a customer, law enforcement) initiates action against you for research that complied with this program, contact us — we'll make our authorization explicit on the record.

What We Ask

The spirit, not just the letter.

Don't access more data than is needed to demonstrate the issue. Don't degrade service for customers. Don't publicly disclose before we've had a reasonable window to remediate (typically 90 days, negotiable for complex issues).

If you're not sure whether something is in scope, ask. [email protected]

Recognition

How we say thank you.

We're a small team. We can't write four-figure bounty checks yet — we're being honest about that. What we can offer: public acknowledgement (with permission), a permanent place on the Hall of Fame on this page, swag, a video call with the founder, and — for severe findings — a Founding Partner discount to your organization. As we scale, the program scales.